US10277586B1ActiveUtility

Mobile authentication with URL-redirect

93
Assignee: SYNIVERSE TECHNOLOGIES LLCPriority: Oct 29, 2018Filed: Oct 29, 2018Granted: Apr 30, 2019
Est. expiryOct 29, 2038(~12.3 yrs left)· nominal 20-yr term from priority
H04L 9/3228G06F 9/541H04L 67/02H04L 2209/80H04L 47/193H04L 9/0863H04W 12/04H04L 67/146H04L 63/0807H04L 9/3213H04L 63/0838H04L 61/2592H04W 12/06H04L 2101/654H04L 2101/65
93
PatentIndex Score
15
Cited by
33
References
20
Claims

Abstract

This invention is a system and method for mobile authentication using HTTP redirect in GTP tunnels. The authentication procedure generates a one-time-token that returns to the Enterprise application that requests the authentication. The authentication platform injects a HTTP redirect response to the mobile device via the GTP-U tunnel that corresponds to the GTP session of the inputted-MSISDN. The HTTP redirect response carries a URL with the one-time-token as parameter. The Enterprise application authenticates the HTTP request by comparing the one-time-token in the HTTP request parameter against the value returned by the authentication platform during its authentication request API call.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of mobile authentication, the method comprising the steps of:
 receiving an alleged mobile station international subscriber directory number (MSISDN) value from a mobile device connected to a remote server application over a hypertext transfer protocol (HTTP) request within a general packet radio service tunneling protocol (GTP) uplink tunnel; 
 retrieving GTP session data for the alleged MSISDN received from the remote server application for the mobile device connection; 
 verifying the alleged MSISDN value exists in the retrieved GTP session data; 
 generating a cryptographic token value accessible by the remote server application; 
 saving the token value, the alleged MSISDN value and the GTP session data in a data store; and 
 injecting an HTTP redirect response within a GTP downlink tunnel associated with the alleged MSISDN, the response including the token value as a uniform resource locator (URL) parameter wherein the redirect causes the mobile device to initiate another connection to the remote server application which is communicatively coupled to the data store, wherein the token value is retrieved from the new redirected connection URL parameter and evaluated against the token value in the data store whereby the alleged MSISDN value is authenticated as valid should the token value in the data store and URL parameter match. 
 
     
     
       2. The method of  claim 1  wherein the redirected connection URL is over hypertext transfer protocol secure (HTTPS). 
     
     
       3. The method of  claim 1  wherein the cryptographic token is a one-time password. 
     
     
       4. The method of  claim 1  wherein the HTTP request from the mobile device and the HTTP redirect response each have a transmission control protocol (TCP) sequence, the method further comprising the step of constructing the redirect response so that its TCP sequence matches that of the TCP sequence of the connection from the mobile device to the remote server. 
     
     
       5. The method of  claim 1  wherein a transaction identification value is assigned to HTTP request over the GTP tunnel with the alleged MSISDN received by the remote server, the transaction identification value is passed back as the URL parameter in the redirect response. 
     
     
       6. The method of  claim 1  wherein the GTP session data is obtained from CreatePDPSession and CreatePDPResponse messages for GTP version 1 (GTPv1) protocols. 
     
     
       7. The method of  claim 1  wherein the GTP session data is obtained from CreateSessionRequest and CreateSessionResponse messages for GTP version 2 (GTPv2) protocols. 
     
     
       8. The method of  claim 1  further comprising the step of capturing and decoding GTP-C and GTP-U packets in passive mode with a GTP packet analyzer. 
     
     
       9. The method of  claim 1  further comprising the step of capturing GTP-C messages by port-mirroring network switches. 
     
     
       10. The method of  claim 1  further comprising the step of capturing GTP-U messages by port-mirroring network switches. 
     
     
       11. The method of  claim 1  further comprising the step of deploying a GTP proxy server for obtaining GTP session data including GTP-C and GTP-U packets. 
     
     
       12. A method of mobile authentication, the method comprising the steps of:
 receiving an alleged mobile station international subscriber directory number (MSISDN) value from a mobile device connected to a remote server application over a hypertext transfer protocol (HTTP) request within a general packet radio service tunneling protocol (GTP) uplink tunnel, the mobile device communicatively coupled to an enterprise application; 
 sending an authentication request from the enterprise application to an authentication platform, the authentication request including a transaction reference value and the alleged MSISDN value; 
 the authentication platform retrieving GTP session data for the alleged MSISDN received from the remote server application for the mobile device connection and verifying the alleged MSISDN value exists in the retrieved GTP session data, wherein, upon verification, a cryptographic token value is generated; 
 saving the token value, alleged MSISDN value and GTP session data in a data store communicatively coupled to the authentication platform and passing an authentication response from the authentication platform to the enterprise application, the authentication response including the transaction reference value and the token value; 
 the mobile authentication platform injecting an HTTP redirect response within a GTP downlink tunnel associated with the alleged MSISDN, the response including the transaction reference value, token value and alleged MSISDN value as uniform resource locator (URL) parameters to the mobile device wherein the redirect causes the mobile device to initiate another connection to the remote server application, wherein the token value is retrieved from the new redirected connection URL parameter and evaluated against the token value in the data store whereby the alleged MSISDN value is authenticated as valid should the token value in the data store and URL parameter match. 
 
     
     
       13. The method of  claim 12  wherein the redirected connection URL is over hypertext transfer protocol secure (HTTPS). 
     
     
       14. The method of  claim 12  wherein the cryptographic token is a one-time password. 
     
     
       15. The method of  claim 12  wherein the HTTP request from the mobile device and the HTTP redirect response each have a transmission control protocol (TCP) sequence, the method further comprising the step of constructing the redirect response so that its TCP sequence matches that of the TCP sequence of the connection from the mobile device to the remote server. 
     
     
       16. The method of  claim 12  further comprising the step of capturing and decoding GTP-C and GTP-U packets in passive mode with a GTP packet analyzer. 
     
     
       17. The method of  claim 12  further comprising the step of capturing GTP-C messages by port-mirroring network switches. 
     
     
       18. The method of  claim 12  further comprising the step of capturing GTP-U messages by port-mirroring network switches. 
     
     
       19. The method of  claim 12  further comprising the step of deploying a GTP proxy server for obtaining GTP session data including GTP-C and GTP-U packets. 
     
     
       20. A method of mobile authentication, the method comprising the steps of:
 receiving an alleged mobile station international subscriber directory number (MSISDN) value from a mobile device connected to a remote server application over a hypertext transfer protocol (HTTP) request within a general packet radio service tunneling protocol (GTP) uplink tunnel, the mobile device communicatively coupled to an enterprise application; 
 sending an authentication request from the enterprise application to an authentication platform, the authentication request including a transaction reference value and the alleged MSISDN value; 
 the authentication platform retrieving GTP session data for the alleged MSISDN received from the remote application server for the mobile device connection using packet mirroring in network switches conveying GTP-C and GTP-U messages between serving general packet radio service support node (SGSN) and gateway general packet radio service support node (GGSN), the messages including international mobile subscriber identity (IMSI), MSISDN, uplink tunnel ID and downlink tunnel ID for both GTP-C and GTP-U planes; 
 extracting from the GTP-U messages, a TCP sequence number for the HTTP connection between the mobile device and the enterprise application; 
 the authentication platform further verifying the alleged MSISDN value exists in the retrieved GTP session data, and mapping the MSISDN value to a tunnel endpoint identifier wherein, upon verification that the MSISDN value exists in the GTP session data, generating a cryptographic token value; 
 saving the token value, alleged MSISDN value and GTP session data in a data store communicatively coupled to the authentication platform and passing an authentication response from the authentication platform to the enterprise application, the authentication response including the transaction reference value and the token value; 
 
       the mobile authentication application injecting an HTTP redirect response packet with a transmission control protocol (TCP) acknowledgment number derived from the TCP sequence number previously extracted from the GTP-U messages whereby the mobile device will accept the packet without an out-of-sequence error, the HTTP redirect response sent within a GTP downlink tunnel associated with the alleged MSISDN, the response including the transaction reference value, token value and alleged MSISDN value as URL parameters to the mobile device wherein the redirect causes the mobile device to initiate another connection to the enterprise application, wherein the token value is retrieved from the new redirected connection URL parameter and evaluated against the token value in the data store whereby the alleged MSISDN value is authenticated as valid should the token value in the data store and URL parameter match.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.